http_port 80 accel defaultsite=kojipkgs.fedoraproject.org
https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2017.squid.cert key=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3

cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs

cache_swap_low 98
cache_swap_high 99
cache_mem 32 GB
maximum_object_size 200 MB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 100 MB
memory_replacement_policy heap LFUDA

logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
logformat squidmime  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

refresh_pattern .		1440	100%	10080

#
# Define all our acls here.
#
acl all src all
acl apache rep_header Server ^Apache
acl cachemanager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 443		# https
acl CONNECT method CONNECT
acl our_sites dstdomain kojipkgs.fedoraproject.org kojipkgs01.fedoraproject.org kojipkgs02.fedoraproject.org kojipkgs01.phx2.fedoraproject.org kojipkgs02.phx2.fedoraproject.org
acl phx2 src 10.5.125.0/24 10.5.127.0/24 10.5.129.0/24
# The stg builders in the createrepo channel need access to repos
acl phx2-stg src 10.5.128.84/32 10.5.128.85/32 10.5.128.86/32 10.5.128.87/32 10.5.128.69/32
acl pdc src 10.5.126.134/32
acl proxies src 10.5.126.51/32 10.5.126.52/32 ::1
acl repo_url urlpath_regex -i ^/repo/
acl kojipkgs urlpath_regex -i \.(rpm|log|sig)$
acl mash urlpath_regex -i ^/mash/
acl compose urlpath_regex -i ^/compose/
acl nonredist urlpath_regex -i openh264

#
# Here is where we use the above acls
#

# Allow phx2 and stg builders in the createrepo channel to repos dir and deny everyone else
http_access allow phx2 repo_url
http_access allow phx2-stg repo_url
http_access deny repo_url

# Only allow cachemanager from localhost
http_access allow cachemanager localhost
http_access deny cachemanager

# Let the pdc-backend inspect the composes
http_access allow pdc compose

# Let the proxies access things
http_access allow proxies
follow_x_forwarded_for allow proxies

# Do not allow non safe ports or connect on anything but ssl ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow our sites and localhost
http_access allow our_sites
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

cache_peer_access kojipkgs allow our_sites
cache_peer_access kojipkgs deny all

# Do not cache mash or compose data
cache deny mash
cache deny compose

# Do not cache any non-redistributable content
# (this would cache the HIT for sign-bridge and then serve it to others)
cache deny nonredist

# Do cache all rpms/log/sigs otherwise
cache allow kojipkgs
cache deny all

coredump_dir /var/spool/squid

# put the pid in the tmpdir with worker ipc sockets
pid_filename /var/run/squid/squid.pid

# Run in smp mode with 8 workers
# smp mode seems to cause problems with partial downloads and hangs. 
#workers 8

# In smp mode you have to specify per worker cache dirs
# Also you have to manually run squid -z -F -f /etc/squid/squid.conf
# to create these dirs. 
#if ${process_number} = 9
#       # nothing
#else
#       cache_dir ufs /var/spool/squid/${process_number} 10000 16 256
#endif
